Defining and designing email security

(by hjkim, MailRadar Community) When most people think about email security, they think in terms of virus and spam protection. The typical questions are: 'How do I protect my users from viruses and spam?', 'What about phishing?', 'How are Trojans and other threats stopped?'. What is missing is a comprehensive, holistic approach to email security.

The above are some of the issues that a company needs to consider. However, there are many other issues that need to be addressed:

  1. Educating the employees and helping them understand how security affects their livelihood
  2. Reviewing physical security regularly
  3. Checking the network security
  4. Validating the administrators managing your email server
  5. Software security

Email security encompasses much more than just anti-virus and spam protection. The biggest threat does not come from outside the company; most threats arise within the company, where information can be easily shared and hacked.



1. Educating the employees and helping them understand how security affects their livelihood
According to security experts, most of the theft and security breaches occur from within and not from outside of the company. Employees have access to your confidential customer database, salary information, and other highly sensitive data. They also have access to all the confidential emails that are meant for internal employees only.  We have seen throughout the years that many confidential emails are “leaked out” by employees and are passed all over the Internet.

2. Reviewing physical security regularly
In addition to educating the employees, physical security should be reviewed regularly.
Where is your email server located? What access do employees have to the system? What kind of redundancy/failover systems are in place? Where are the failover systems? Are they in the same location as your production email servers or are they at an offsite disaster recovery site?
Because email is a 24/7 critical application, it needs the same planning as any other business-critical application. If it is hosted, what physical security has your hosting provider put in place? What SLA (service level agreement) guarantees are they promising?

3. Checking the network security
How well is your network protected? Firewall? Encrypted network?

4. Validating the administrators managing your email server
Who is managing your email server? How many people have access to the administrator userid?
It is recommended that two people have access to the administrator userid. The administrator password should be kept in a safe where a manager can access it and provide it to the appropriate person if the two people who have the administrator password are not available.
Who will manage your email when there is a disaster? Do you have a designated person who is responsible for making sure that email is running at all times?

5. Software security
Finally, there is software security. Most companies have anti-virus and anti-spam products installed on their servers to manage attacks from foreign, unwelcome intruders. Multiple products are available that address these issues. However, software security is more than just virus and spam protection; securing the email itself from others’ view requires email encryption software. There are two types of encryption.
First, connection encryption secures the network connection between the user and the server. It does not secure the connection to the intended recipient. Second, email encryption secures the email itself so that the connection to the recipient does not need to be encrypted; however, the recipient must have a private key to decrypt the message. A less secure method is the signed option, which does not encrypt the message but checks for any alteration to the email when the intended recipient receives it. The recipient receives a public key that confirms that the email has not been tampered with or altered.
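Connection encryption, email encryption and signing each leave a different trace in a delivered message, so an administrator can audit which one a given email actually had. The following is an added example, not part of the original article: it reads the Received headers for TLS-protected hops (RFC 3848 keywords) and the top-level MIME type for S/MIME or PGP/MIME protection. The hostnames, message id and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 transmission types that mean the hop was protected by TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def message_protection(msg):
    """Classify protection applied to the email itself (not the connection)."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":        # PGP/MIME encrypted (RFC 3156)
        return "encrypted"
    if ctype == "multipart/signed":           # S/MIME or PGP/MIME signature
        return "signed"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        kind = str(msg.get_param("smime-type", "")).lower()
        if kind in ("enveloped-data", "authenveloped-data"):
            return "encrypted"
        if kind == "signed-data":
            return "signed"
        return "unknown"                      # smime-type absent or unrecognised
    return "none"

def tls_hops(msg):
    """Return (hops that used TLS, total hops) from the Received headers."""
    received = msg.get_all("Received", [])
    secured = 0
    for hop in received:
        # A hop may contain other "with ..." phrases (e.g. "with cipher ..."),
        # so check every one rather than only the first.
        words = re.findall(r"\bwith\s+([A-Za-z0-9]+)", hop)
        if any(w.upper() in TLS_KEYWORDS for w in words):
            secured += 1
    return secured, len(received)

def audit(raw):
    msg = message_from_string(raw)
    secured, total = tls_hops(msg)
    return {"message": message_protection(msg), "tls_hops": secured, "hops": total}

def sample(transport, content_type):
    """Build a constructed one-hop message; hosts and id are placeholders."""
    return (f"Received: from client.example by mx.example with {transport} id 1\n"
            f"Content-Type: {content_type}\n\n(body omitted)\n")

if __name__ == "__main__":
    print(audit(sample("ESMTPS", "text/plain")))   # connection encryption only
    print(audit(sample("ESMTP", "application/pkcs7-mime; smime-type=enveloped-data")))
    print(audit(sample("ESMTPS", 'multipart/signed; protocol="application/pkcs7-signature"; boundary="b"')))
```

Received headers are written by each relaying server, so only the hops added by servers you control can be relied on. A message reported as "none" with TLS on every hop was still readable on each server it passed through.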

Too many times, the biggest security threat with email is the users themselves and their careless use of passwords. Numerous cases have been reported of users writing down their password somewhere in their office area where anyone can see it. Within companies, password management needs to be practiced; however, a delicate balance is needed between the strictness of passwords, the intervals used for password changes, and the users’ ability to remember and manage their passwords. If it is too strict, the users will cheat the system by writing the password down or entering it somewhere so that they can remember it. If it is not strict enough, then it is easy for someone to discover the password and access confidential information.